It’s the new norm at pubs and cafes but fears have been raised that QR code information is being misused for marketing and profiling.
It’s the new norm at pubs and cafes but fears have been raised that QR code information is being misused for marketing and profiling.

Fears QR code check-in systems being abused

Victoria's privacy watchdog has raised concern businesses are using coronavirus QR code check-in systems to sneakily amass databases for marketing.

It's feared some businesses are collecting unnecessary personal information from customers like their email and residential addresses.

Information Commissioner Sven Bluemmel said misuse of personal information had the potential to erode public trust - "undermining the entire contact tracing system".

Privately operated QR check‐in systems - as well as businesses using pen and paper - were the concern.

 

 

Problems could have implications for customer's privacy and information security.

"Key to effectiveness of any contact tracing system is establishing and maintaining public trust in that system,'' Mr Bluemmel said.

"If personal information is misused, it has the potential to impact the public's trust and their willingness to provide accurate contact details, undermining the entire contact tracing system.

"One really fundamental principle of good privacy is to collect as little personal information as you need."

Under the Chief Health Officer's directions businesses must keep a record of all visitors who stay longer than 15 minutes.

Only their first name, phone number and the date and time they attended are required.

Business must not collect unnecessary personal information.

But Mr Bluemmel said many were unaware of the limits, erred on the side of caution or deliberately asked customers for extra information for unrelated purposes like marketing or profiling.

Smaller businesses and some privately operated check‐in operators were not subject to federal privacy laws - meaning the way personal information was collected, used and disclosed was largely unregulated.
Customers typically had no redress if their personal information was inappropriately used or disclosed by a private check‐in provider or small business they visited.

Businesses have been urged to separate collection of data from contact tracing with marketing activities.
Businesses have been urged to separate collection of data from contact tracing with marketing activities.

Mr Bluemmel said businesses should separate contact tracing QR systems from those used for activities like marketing, loyalty programs and ordering.

"The difficulty is when a business uses an app like that for the purposes of meeting its obligations for contact tracing things can get conflated,'' he said.

"Then you have a situation where as part of a contact tracing effort you may have information that is collected being used for other purposes.

"And that is likely to go against the wishes and understandings of the customers.

"When you're going out to a cafe or having a meal choosing what should happen to your data should not have to be front of mind. You're not going there for the purpose of planning your future digital life."

The state government's free QR code service - which requires only a first name and phone number - was the safest option because personal information was stored on local servers and couldn't be accessed by businesses.

All data collected must be deleted after 28 days unless requested for contact tracing.

The Office of the Victorian Information Commissioner oversees the state government and local councils

The federal privacy commissioner handles the private sector.

wes.hosking@news.com.au

Originally published as Fears QR code check-in systems being abused



Councillors to vote on GKI infrastructure plans

Premium Content Councillors to vote on GKI infrastructure plans

Altum construction director Rob McCready was in Rockhampton on Monday to promote...

Get scripts, chemist supplies delivered with new app

Premium Content Get scripts, chemist supplies delivered with new app

The scripts are filled by a qualified pharmacist and delivered on the same day.

Oz Day ‘joyride’ costs disqualified driver

Premium Content Oz Day ‘joyride’ costs disqualified driver

Tyler Worley fronted a Yeppoon court for the second time in a matter of weeks.